False Positive

Today’s scan showed, I believe, a false positive. It’s in the system recovery partition from HP. It’s Vista 64 bit. I’ve got the free Avast version 5.0.677. Here is the log entry for today:

  • avast! Scan Report
  • This file is generated automatically
  • Scan name: Full system scan
  • Started on: Saturday, February 05, 2011 11:25:27 AM
  • VPS: 110205-0, 02/05/2011

E:\hp\Drv\APP10373\src\KbdStub.exe [L] Win32:Malware-gen (0)
Infected files: 1
Total files: 304849
Total folders: 26160
Total size: 349.9 GB

  • Scan stopped: Saturday, February 05, 2011 11:41:46 AM
  • Run-time was 16 minute(s), 19 second(s)

I sent the Log to Avast.
Joe

Did you send the file to avast as well?

There was another thread about this: http://forum.avast.com/index.php?topic=70768.15

A forum search for KbdStub.exe would have found a report on this already, but this should have been in the Viruses and Worms forum.

The log won’t help; what will is the file sample.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update.

I sent the file from the chest. I looked by topic and didn’t see the other post; I thought it was recent but must have missed it. I finally got it zipped. I checked on Jotti and there was only 1 pos VBS antivirus. VirusTotal must be backed up; after 45 min it’s still in queue.
Joe

Jotti isn’t as good as VirusTotal, as basically it is using Linux versions of the scanners and there are fewer of them. VirusTotal is using Windows versions and there are currently 43 different scanners.

So I tend to think it is worth the wait.

If you send the file from the chest there is no need to zip the file and email it, that is just another method.

VirusTotal showed Avast, GData, Jiangmin, and VBA32 positive and all others negative.
Joe

Well, GData uses avast as one of its two scanners, so if it uses the same malware name that is one; the other two scanners, especially Jiangmin, I’ve never heard of.

So yes you should send it to avast for analysis.

Today’s update fixed it. I scanned the file in chest and they are OK now.
Joe

You’re welcome.

If you haven’t already done so (or need to) you can restore the file from the chest. Thanks for the feedback.

All taken care of. I received an actual email from Jiri Sejtko confirming it was a false positive and that it would be fixed in today’s update. Quite pleasant considering most companies use the canned replies if they even bother at all. Back when I was slipstreaming XP I sent programs and apps that I knew to be safe but detected as a virus with the appropriate links and they were usually fixed in a day or two. It’s pretty rare to deal with a company today that actually does care about their customers.
Joe

Well you are honoured, you don’t always get a direct reply unless they need more information ;D

Normally they will quickly do the analysis and correct the virus signature in the case of an FP.

There should be an option to add it to exceptions etc., right click exceptions

It has been said many times by avast, they won’t do that as it gives a single click exclusion which would allow you to run the file (which avast considers infected). If it isn’t an FP or if accidentally used on a virus/worm/malware file it could leave the user’s system beyond the user’s control and infected.

That is why the addition to exclusions is a deliberate manual act.